Have you ever wondered if someone was listening in on your conversation while in public? While this may be known as eavesdropping in the real world, this sort of action has a different name in the realm of cybersecurity: a man-in-the-middle attack. A man-in-the-middle (MitM) attack is one in which the hacker “may try to ‘listen’ to a conversation between two people, two systems, or a person and a system” (Baker). The “conversation” in question could be just about any type of digital communication, ranging from messages being sent between users on a social media platform to a user trying to log in to their bank account through their bank’s website. Some man-in-the-middle attacks might be utilized for espionage and to gather personal information about an individual or group, while others are used to steal sensitive data, such as banking information, that can be used to make money. Regardless of the purpose, a man-in-the-middle attack can cause quite a headache for users and companies, which is why it is important to know the basics of this type of attack as well as ways to protect against it.

Additionally, it is important to note that, while the term implies that the hacker is masculine, anyone can perform a man-in-the-middle attack. In fact, a computer can be programmed to perform a man-in-the-middle attack by itself without a human controlling it!

Some organizations and cybersecurity experts are moving away from the term “man-in-the-middle” because some might consider the language potentially biased. The term might also fail to capture instances where the entity in the middle is a bot, device or malware rather than a person.

Alternative terms for this type of cyberattack include machine-in-the-middle, on-path attack, adversary-in-the-middle (AITM) and manipulator-in-the-middle.

Lindemulder & Kosinski

Since the term “man-in-the-middle attack” is still widely known, this will be the term used for the remainder of this article.

How Does a Man-in-the-Middle Attack Work?

As the name implies, a man-in-the-middle attack is when a hacker positions themself “in between the user and the system”, two users, or two systems in order to “intercept and alter data traveling between them” (NIST). Fortinet provides a straightforward, step-by-step example of how this type of attack is carried out:

Regardless of the specific techniques or stack of technologies needed to carry out a MitM attack, there is a basic work order:

Person A sends Person B a message.

The MitM attacker intercepts the message without Person A’s or Person B’s knowledge.

The MitM attacker changes the message content or removes the message altogether, again, without Person A’s or Person B’s knowledge.

Fortinet

How an attacker manages to eavesdrop on communications between two people or machines is a bit more technical. In most cases, “a MitM attack works by exploiting vulnerabilities in network, web, or browser-based security protocols to divert legitimate traffic and steal information from victims” (Fortinet). A vulnerability is a particular flaw or weakness in a computer system. For example, imagine that there is a hole in your roof; this would be a vulnerability. It is possible you are aware of it and plan to fix it, or you may not even realize it is there. Regardless, if the hole is not patched before it starts raining, water will leak into your home; this is like a hacker exploiting a vulnerability in an application to cause harm.

In other cases, MitM attacks are less passive, using methods such as “a bot generating believable text messages, impersonating a person’s voice on a call, or spoofing an entire communications system to scrape data the attacker thinks is important from participants’ devices” (Fortinet). Instead of simply listening in on a communication, the attacker may instead be actively participating in the conversation, most often by pretending to be one of the actual participants in the conversation. These sorts of man-in-the-middle attacks lean more towards being a form of social engineering, which is a category of cyberattack that involves manipulating people directly instead of hacking a machine.

A man-in-the-middle attack could also be classified as an “active wiretapping attack in which the attacker intercepts and selectively modifies communicated data to masquerade as one or more of the entities involved in a communication association” (NIST). For example, say a hacker was spying on a device. The hacker may wait until someone attempts to log in to one of their online accounts on the device; the hacker then intercepts the login request and can pretend that they were, in fact, the one who sent the login request, and not the account holder. In terms of espionage, a spy who works for a government agency may be able to intercept messages between two individuals of an enemy government and then modify them to either gain further information about their plans or to purposefully mislead the individuals.

Regardless of the intent for conducting the attack, MitM attacks, in the most basic sense, serve as a way for a hacker to either intercept and modify the messages or to spy on them. There are many reasons a hacker may want to modify a message they intercept through a man-in-the-middle attack. For example, say a hacker has managed to eavesdrop on your device without your knowledge. You plan to visit your banking website and type in the URL in your web browser. When you hit enter, your computer sends out a message to request that webpage from the server it is stored on; however, the hacker manages to intercept this message before it reaches the server. The hacker modifies the message to instead ask for the webpage for a fake banking website meant to steal usernames and passwords and then sends it along. When the webpage is sent back to your computer, it is actually the fake website meant to steal your data and not the actual bank website.

Alternatively, the attacker may simply want to spy on the communications between the two individuals without altering the messages. This is most often done to “collect personal data, passwords or banking details, and/or to convince the victim to take an action such as changing login credentials, completing a transaction or initiating a transfer of funds” (Baker). What makes this attack particularly dangerous is that it can be hard to discern whether or not someone is eavesdropping on your computer. In many cases, “[n]one of the parties sending email, texting, or chatting on a video call are aware that an attacker has inserted their presence into the conversation and that the attacker is stealing their data” (Fortinet). While there are some indicators that a man-in-the-middle attack is happening to your machine, such as “unexpected or repeated disconnections from a service… [and] having to repeatedly enter a username and password” to regain access, these symptoms could also be the result of network issues (Fortinet). This difficulty in detection is why it is recommended to exercise caution about what sort of data you send to others through digital means. Fortunately, however, there is a layer of security that many communication services implement to make it more difficult for a hacker to steal your messages: encryption.

Since many communication services use encryption nowadays, “any data a MITM attacker intercepts will most likely need to be decrypted before the attacker can use it” (Lindemulder & Kosinski). Encryption scrambles the original message using an encryption key. Once the message is scrambled, it is essentially unreadable until it is decrypted. Encryption is like using a secret language or code to hide what a message really says; only the two devices handling the communication should be able to understand this “secret language” and be able to translate the message back to its original format. This makes encryption a great way to help maintain privacy while communicating virtually; furthermore, one should always opt for the strongest level of encryption possible to get the most security. Unfortunately, while it is a great layer of security to have available, it is best to keep in mind that encryption is not entirely foolproof. While it can be difficult to circumvent encryption, it is possible for a hacker to decrypt an encrypted message through “stealing encryption keys, running brute-force attacks or using specialized MITM attack techniques” (Lindemulder & Kosinski).
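The two situations described above (an untrusted relay that reads and alters a message, and encryption that leaves the intercepted data unreadable) as an added example, written for this article and not taken from it or from the sources it cites. It uses only Python's standard library with a toy stream cipher built from HMAC-SHA256 for illustration (real services use TLS or an authenticated cipher such as AES-GCM); the keys, the relay and the sample message are all constructed here. It goes one step beyond the article by also attaching an integrity tag, so the receiver can detect that a message was altered in transit rather than silently accepting it.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32
# Constructed keys shared only by the two endpoints; the relay never sees them.
ENC_KEY, MAC_KEY = secrets.token_bytes(32), secrets.token_bytes(32)

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher, for illustration only."""
    blocks = (length + 31) // 32
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range(blocks))
    return out[:length]

def protect(message: bytes) -> bytes:
    """Encrypt-then-MAC: the packet on the wire is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(m ^ k for m, k in zip(message, keystream(ENC_KEY, nonce, len(message))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unprotect(packet: bytes):
    """Returns the plaintext, or None when the tag fails (the packet was altered)."""
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(ENC_KEY, nonce, len(ct))))

def middle_hop(data: bytes, alter: bool) -> bytes:
    """The untrusted relay: it reads everything it carries and may flip one bit."""
    if not alter:
        return data
    i = len(data) // 2
    return data[:i] + bytes([data[i] ^ 0x01]) + data[i + 1:]

def send_in_clear(message: bytes, alter: bool):
    """Unprotected path: (what the relay could read, what the receiver accepted)."""
    return message, middle_hop(message, alter)

def send_protected(message: bytes, alter: bool):
    """Protected path: (did the relay see the plaintext?, what the receiver accepted)."""
    packet = middle_hop(protect(message), alter)
    return message in packet, unprotect(packet)
```

With `alter=True`, `send_in_clear` hands the receiver a changed message that it has no way to recognise as changed, while `send_protected` returns `None` because the tag no longer matches.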

How to Stay Safe from MitM Attacks

Fortunately, staying safe from MitM attacks can be as simple as practicing good cyber hygiene. For example, avoiding public wifi can help prevent man-in-the-middle attacks. Since they are meant to be open and free to use, public wifi technology often has “fewer security protocols than home or workplace wifi,” which “makes it easier for nearby users to connect with the network. But it also makes it easier for hackers to compromise the router so they can eavesdrop on internet traffic and collect user data” (Lindemulder & Kosinski). Since public wifi is often unsecured, it is easy for a hacker to not only gain access to the wifi network, but also eavesdrop on other users connected to that same network. This is also why you should have a strong password for your home wifi network. Furthermore, it is also key to remember that your “Wi-Fi router software, known as firmware, should be updated from time to time” in order to gain the benefits of the latest security patches (Fortinet).

When browsing the Internet, make sure that the websites you connect to are secure. When visiting websites, “look for a tiny padlock icon all the way to the left of the website URL in the browser’s address bar. It is a sign that the webpage you are visiting is secure and using the HTTPS protocol” (Fortinet). The HTTPS protocol encrypts the communication between your device and the website in question; thus, if a website is using HTTPS, another layer of security is added to your communications. Beyond HTTPS, encrypting the connection itself adds yet another layer of security. Virtual private networks, or VPNs, are often recommended by security professionals since they “encrypt the data traveling between the devices and the VPN server”, making the data much more difficult for a hacker to decipher in the event that it is intercepted (Fortinet). VPNs can also provide other security benefits, such as obscuring your device’s geolocation (information that gives a close estimate of where your device physically is). Also, if your email or messaging service has an option to enable end-to-end encryption, make sure to enable it.

Keeping your device updated is another key safeguard against MitM attacks. These updates may include patches that fix known vulnerabilities in your device’s software or operating system, making it much harder for an attacker to find a way to eavesdrop on your device. While you may be tempted to put off updating your device, remember that the update might just be what keeps your device safe.

Additionally, some MitM attackers use other hacking techniques, such as phishing, to initially gain access to your machine and communications. Through “clicking on a malicious link in an email, a user can unknowingly launch a man-in-the-browser attack. MITM attackers often rely on this tactic to infect a user’s web browser with malware that enables them to make covert changes to web pages, manipulate transactions and spy on the user’s activity” (Lindemulder & Kosinski). Thus, it is important to know how to recognize a phishing email in order to avoid falling victim to not just a phishing attempt, but also a MitM attack. Furthermore, installing anti-malware or antivirus software on your device is another great step to take to increase your overall cybersecurity and prevent attacks. That way, even if you do accidentally click on a malicious link, the antivirus software may be able to block any malware that attempts to access your device before it is too late.

Finally, Fortinet provides these three recommendations for how organizations can help their employees remain safe from man-in-the-middle attacks:

If available, deploy multi-factor authentication (MFA): So you do not rely on passwords alone, organizations should encourage the use of MFA for access to devices and online services. This practice has quickly become organizations’ best defense against threats.

Encrypt DNS traffic: The DNS is the internet’s distributed directory service. Applications use DNS to resolve a domain name to an IP address. However, when the DNS wants to connect to the external recursive DNS resolver, privacy and security become an issue because the DNS is distributed and no single security protocol exists. The handful of mechanisms that have emerged, including DNS over TLS (DoT) and DNS queries over HTTPS, encrypt DNS traffic between the user’s computer and the external DNS resolver to validate the resolver’s authenticity using certificates to ensure that no other party can impersonate the resolver.

Adopt the zero-trust philosophy: Zero trust is a security concept that requires organizations to not automatically trust anything inside or outside its perimeters. Instead, they must first verify anything trying to connect to their systems before granting access. The model is “never trust, always verify,” and it relies on continuous verification across every device, user, and application. Zero-trust approaches can prevent a MitM attack from starting or can protect an organization’s assets if a MitM attack is already underway.

Fortinet

In the end, the more measures you put in place to remain safe from man-in-the-middle attacks, the more secure your device will be. Luckily, the safeguards you can put in place to protect from MitM attacks can also help keep you safe from other sorts of threats!

Resources & Further Reading

Baker, Kurt. “What Is a Man in the Middle (MITM) Attack?” Crowdstrike.com, Crowdstrike, 17 Jan. 2025, www.crowdstrike.com/en-us/cybersecurity-101/cyberattacks/man-in-the-middle-mitm-attack/.

Fortinet. “What Is a Man-In-the Middle (MITM) Attack?” Fortinet, Fortinet, Inc., 2024, www.fortinet.com/resources/cyberglossary/man-in-the-middle-attack.

Lindemulder, Gregg, and Matt Kosinski. “What Is a Man-In-The-Middle (MITM) Attack? | IBM.” IBM, 11 June 2024, www.ibm.com/think/topics/man-in-the-middle.

NIST. “Man-In-The-Middle Attack (MitM) – Glossary | CSRC.” Csrc.nist.gov, National Institute of Standards and Technology, csrc.nist.gov/glossary/term/man_in_the_middle_attack.
